We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems. If customers are unable to apply the Solution immediately, Sitecore suggests applying the Alternative Workaround in the interim and planning how to apply the Solution.

Sitecore XP versions 9.1 Update-1 and later are not affected by this vulnerability.

Sitecore XP versions 8.2 and earlier are not affected by this vulnerability.

Important note!

Sitecore XP versions 8.2 and earlier are affected by the related Critical vulnerability SC2019-002-312864. Sitecore recommends immediately applying a fix for Critical vulnerability SC2019-002-312864, which is documented in the following security bulletin: https://kb.sitecore.net/articles/334035

Note: Upon implementing this workaround, content editing functionality will not be available in your Sitecore environments.

If content editing functionality cannot be temporarily disabled, as an alternative, it is possible to configure IP-based security restrictions for the \Website\sitecore\shell folder to block all access for external users and only allow access from trusted IP addresses that a malicious actor is not able to use. For instructions on how to configure IP-based security restrictions, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.
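As an added example that is not part of the Sitecore bulletin, the following PowerShell applies the IP restriction described above to the shell folder of a Sitecore site using the IIS "IP and Domain Restrictions" feature. The site name and the trusted addresses are assumptions and must be replaced with your own values; the appcmd unlock step is needed because IIS locks the ipSecurity section at the server level by default.

```powershell
# Added example, not Sitecore's own code: restrict /sitecore/shell to trusted IPs.
# Run as Administrator on the IIS server hosting the Sitecore instance.
Import-Module WebAdministration

$siteName   = 'Default Web Site'                              # assumption: your Sitecore site name
$shellPath  = "IIS:\Sites\$siteName\sitecore\shell"
$trustedIPs = @('203.0.113.10', '198.51.100.0/255.255.255.0')  # placeholders: replace with real trusted ranges

# 1. The feature must be installed (Windows Server); without it the ipSecurity section is not enforced.
Install-WindowsFeature Web-IP-Security | Out-Null

# 2. ipSecurity is locked in applicationHost.config by default; unlock it so that a
#    folder-level (web.config / location) setting for /sitecore/shell is honoured.
& "$env:windir\system32\inetsrv\appcmd.exe" unlock config -section:system.webServer/security/ipSecurity | Out-Null

# 3. Deny every address that is not explicitly listed, for the shell folder only.
Set-WebConfigurationProperty -PSPath $shellPath `
    -Filter 'system.webServer/security/ipSecurity' -Name 'allowUnlisted' -Value $false

# 4. Allow the trusted addresses / subnets (entries written as ip/mask get a subnetMask).
foreach ($entry in $trustedIPs) {
    $ip, $mask = $entry -split '/'
    $value = @{ ipAddress = $ip; allowed = $true }
    if ($mask) { $value.subnetMask = $mask }
    Add-WebConfigurationProperty -PSPath $shellPath `
        -Filter 'system.webServer/security/ipSecurity' -Name '.' -Value $value
}

# 5. Verify the effective configuration for the shell folder.
Get-WebConfiguration -PSPath $shellPath -Filter 'system.webServer/security/ipSecurity' |
    Select-Object allowUnlisted
Get-WebConfiguration -PSPath $shellPath -Filter 'system.webServer/security/ipSecurity/add' |
    Select-Object ipAddress, subnetMask, allowed
```

After applying this, confirm from an untrusted address that requests to /sitecore/shell return HTTP 403, and from a trusted address that the login page still loads.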

14-Apr-2020: Hotfix installation instructions were updated. The hotfix package remains the same. If the hotfix has been applied using the old instructions, your installation is secure and no further action is required. However, using the "Select roles" dialog in the User Manager application could result in the "The data could not be loaded" error. To fix the error, apply steps 1-3 from the Solution section of this article.

17-Apr-2020: Step #3 of the Solution section was updated to fully address the error with the User Manager application mentioned above. The hotfix package remains the same, and your installation remains secure if the hotfix was applied using the old instructions.

01-May-2020: Steps describing changes in the Sitecore.Xdb.MarketingAutomation.Tracking.config file were added to fix an issue with xDB config file merging. The hotfix package remains the same, and your installation remains secure if the hotfix was applied using the old instructions.